cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Learn all about PTC Community Badges. Engage with PTC and see how many you can earn! X

How to solve SSLHandshakeException?

yzhang1
1-Visitor

How to solve SSLHandshakeException?

Hi all,

I am now using getJSON function to get the content from an url, and the code is shown as below:

var params = {

proxyScheme: undefined /* STRING */,

headers: undefined /* JSON */,

ignoreSSLErrors: true /* BOOLEAN */,

useNTLM: undefined /* BOOLEAN */,

workstation: undefined /* STRING */,

useProxy: true /* BOOLEAN */,

withCookies: undefined /* BOOLEAN */,

proxyHost: 'proxy.companyname.com' /* STRING */,

url: "http://gateway-a.watsonplatform.net/visual-recognition/api/v3/classify?api_key=9cf5fa21fe8ff3d9eaa49d0319f329ae5ee7bb89&…" /* STRING */,

timeout: undefined /* NUMBER */,

proxyPort: '8080' /* INTEGER */,

};

// result: JSON

var result = Resources["ContentLoaderFunctions"].GetJSON(params);


I got the error message below:


Wrapped javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

But when I change the url to https://feeds.citibikenyc.com/stations/stations.json, can get the content.

Can anyone help solve this problem? Thank!



ACCEPTED SOLUTION

Accepted Solutions
CRArko
17-Peridot
(To:yzhang1)

Hi.

 

With that kind of error reported the cause is often that the certificate is missing from the Java keystore.

 

Is this a self-signed certificate? If so, try this procedure out:

 

Import the self-signed certificates from the external server into the ThingWorx trust store using the following steps:

  • Locate trust store used by ThingWorx
    • Enable SSL logging if needed by adding the following parameter: -Djavax.net.debug=ssl
    • Restart Tomcat
    • Review Catalina and stdout logs for the following line:

trustStore is: C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts

  • Download the InstallCert.java script to the ThingWorx machine in the same location as the cacerts file identified above
  • Execute: javac InstallCert.java
  • Execute: java InstallCert externalserver:port
  • The Java application will prompt you to install the external certificate
  • A new jssecacerts should be generated with the external certificates in the same location as the cacerts file
  • Restarting Tomcat will indicate a new trust store: trustStore is: C:\Program Files\Java\jre1.8.0_141\lib\security\jssecacerts
  • Retest the operation that was failing earlier with the PKIX error

 

Let us know if this is successful or not.

 

-- Craig A.

View solution in original post

10 REPLIES 10
yzhang1
1-Visitor
(To:yzhang1)

The API key needs to be updated, but not influence the result.

pcheah
10-Marble
(To:yzhang1)

Hi Ying Nang Zhang,

Is your problem resolved? I have a similar problem here.

Any response to this? I also am having this problem.

Was this on ThinWorx version 8?

I am seeing similar error, not sure what the core issue is?

rajunall
5-Regular Member
(To:yzhang1)

Hello,

 

How did you solved the problem?

 

I am having the same problem.

 

Regards,

madhu

bwirz
4-Participant
(To:rajunall)

I had the same problem (EC2 Amazon Linux server, using TWX 8.1 Docker PostgreSQL), and it was not a self-signed certificate. The following worked for me:

 

Stop ThingWorx:
$ docker stop twxfoundation

 

Go to https://www.target_address.com/ and click on lock icon to view SSL certificates

Open Certificate and view Certificate Path - download each certificate in that path (Details -> Copy to File). Use first export option (must be X.509 certificate)

 

Upload downloaded certificates to your ThingWorx server

 

Import certificates into Docker keystores into TWX server, use following for reference:
https://adamtuttle.codes/TIL-adding-a-jvm-ssl-cert-docker/
https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ/36427118#36427118

 

Find keystores in your TWX server (in my case Docker keystores, with a path that included "/docker/overla2"):

$ sudo find / -iname 'cacerts'

 

Import each certificate into each keystore, for example (storepass is "changeit" by default):

$ sudo keytool -importcert -alias myApiCert -keystore "/data/docker/overlay2/blahblah123/diff/opt/jdk1.8.0_92/jre/lib/security/cacerts" -file my_api_cert.cer -noprompt -storepass changeit

rajunall
5-Regular Member
(To:bwirz)

Hi, 

I got this problem, while installing ThingWorx Navigate when connecting to Windchill,

I have solved it importing the Windchill signing certificate into Java Keystore.

 

 

Regards,

madhu

 

desosav
6-Contributor
(To:rajunall)

Hi there,
i had the same issue and as rajunall commented, you have to import the windchill certificate into the cacerts.
After doing so I run the tomcat configuration and in Java options you should add the following entry:

-Djavax.net.ssl.trustStore=C:\Program Files\Java\jdk1.8.0_92\jre\lib\security\cacerts
replace the cacerts path according to your installation

CRArko
17-Peridot
(To:yzhang1)

Hi.

 

With that kind of error reported the cause is often that the certificate is missing from the Java keystore.

 

Is this a self-signed certificate? If so, try this procedure out:

 

Import the self-signed certificates from the external server into the ThingWorx trust store using the following steps:

  • Locate trust store used by ThingWorx
    • Enable SSL logging if needed by adding the following parameter: -Djavax.net.debug=ssl
    • Restart Tomcat
    • Review Catalina and stdout logs for the following line:

trustStore is: C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts

  • Download the InstallCert.java script to the ThingWorx machine in the same location as the cacerts file identified above
  • Execute: javac InstallCert.java
  • Execute: java InstallCert externalserver:port
  • The Java application will prompt you to install the external certificate
  • A new jssecacerts should be generated with the external certificates in the same location as the cacerts file
  • Restarting Tomcat will indicate a new trust store: trustStore is: C:\Program Files\Java\jre1.8.0_141\lib\security\jssecacerts
  • Retest the operation that was failing earlier with the PKIX error

 

Let us know if this is successful or not.

 

-- Craig A.

jxu2
10-Marble
(To:CRArko)

Hi Craig A.,with "java InstallCert externalserver:port",what the "port"should be?Thanks.

Announcements


Top Tags